How to Prevent WordPress Website from Hacking

There may be tons of different Content Management Systems available out there, but not even one of them can hold a candle to WordPress. Well, 17 million active WordPress websites must give you an idea how widely popular WordPress is.

Due to WordPress’s flexible and versatile architecture, it allows you to build a wide variety to websites such as personal portfolios, corporate websites, e-commerce stores, informative blogs and so much more. Also, the vast availability of a plethora of WordPress themes and plugins makes WordPress more popular among its users since it enables them to build aesthetically appealing and functional websites without having to write a single of code.

How to Prevent WordPress Website from Hacking

However, even though WordPress itself is a highly secure software, the open source nature of this platform makes it highly vulnerable to security threats and breaches.

According to a recent statistics, half of the WordPress websites are hacked every year. Thus, instead of becoming a part of this statistics, it’s time to work on your website and harden its security in any way possible.

Here is a list of some ways to prevent your website from getting hacked. In this post, I am going to share methods for securing your website that you may not find anywhere else. So, let’s dive in.

1. Hide WordPress admin and password

The majority of website hacks are done through wp-admin. As a matter of fact, gaining access to your website through wp-admin is as easy as 1,2,3. All a hacker has to do to know your WordPress admin is to add “?author=1” after your main URL. Thus it is extremely important to hide them and prevent brute force attack on your website’s admin.

However, in order to hide your admin and password, you need to add a small code snippet to your WordPress’s functions.php file. Here is the code you have to add:

add_action(‘template_redirect’, ‘bwp_template_redirect’);

function bwp_template_redirect()


if (is_author())


wp_redirect( home_url() ); exit;



2. Secure your wp-includes file

WP-includes in one of the most important files of any WordPress website. It includes extremely confidential information. Thus it shouldn’t be accessed by anyone, not even by you.

Prevent any malicious bots or hackers to add scripts to your wp-includes file by adding the following code to your .htaccess file.

# Block the include-only files.

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ – [F,L]

RewriteRule !^wp-includes/ – [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]

RewriteRule ^wp-includes/theme-compat/ – [F,L]


# BEGIN WordPress

3. Secure your WordPress admin

Everybody knows that WordPress uses or URLs to give access to your backend. Knowing this fact makes it easier for the hackers to hack into your website. However, moving or renaming your default login URL will give hackers a really hard time to gain access to your website.

You can use a plugin called LockDown WP Admin to rename your default login URL. The plugin enables change your wp-admin or wp-login.php to any other name you like.

4. Protecting your .htaccess file

.htaccess file is yet another important file of your WordPress website that can give your website’s access to hackers. Thus, it is important to prevent any external access to this file.

Yes, you have to add a small code snippet in the .htaccess file to secure it.


<Files ~ “^.*\.([Hh][Tt][Aa])”>

order allow,deny

deny from all

satisfy all


5. Prevent script injection

Script injection is one of the most common and popular hacking methods that lets the hacker insert a code snippet in one of your WordPress files to hack into your WordPress website. However adding the following code to your .htaccess file can easily prevent hackers from adding unwanted scripts to your files.

# protect from sql injection

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]


I know the methods I have shared are a little technical and requires you to add certain lines of code here and there. But trust me it’s worth all the pain and efforts you’d put into tightening the security of your website.

If you do not know how to add codes into your WordPress files, it’s time to get yourself familiar with the basics of editing and modifying your PHP files.

Author Bio: Jason is a WordPress expert, associated with WordSuccor Ltd. and has a lot of experience in converting PSD to WordPress Theme. He has delivered numerous range of quality products related to this. He has a strong passion for writing useful and insights about WordPress tips and tricks.

10 thoughts on “How to Prevent WordPress Website from Hacking”

  1. From you content I got clear knowledge how to Make a Smart Website. That will helpful for the website owner who would like to grape the audience attraction. Thanks a lot for sharing this content with us.

  2. Hello Arup,
    Really an awesome tutorial to protect our WordPress website from hackers, your tips are really helpful. The plugin “LockDown WP Admin” which you’ve mentioned in your article is really awesome. I must say you’ve done a great job with this.
    Thanks to share this precious information with us.

  3. Hello Arup,
    Thanks for sharing such an informative article which will help me and other bloggers to protect our blogs or sites from getting hacked, really an important points to be focused on as hacking can destroy the whole online reputation which will affect the SEO of the web.
    Thanks for sharing

    • No, there is some security and theme/plugin audit tools available for WordPress but they don’t directly protect your blog from getting hacked. You can lock the wp-admin folder and use plugin and themes obtained from trusted sources to keep the website safe.

  4. hello, in the 1 point there is a code to add to functions.php.
    in my database i have more than one file with that name.
    How can i found the correct one?


Leave a Comment